Revert "vfs_acl_xattr: objects without NT ACL xattr"

This reverts commit 961c4b591bb102751079d9cc92d7aa1c37f1958c.

Subsequent commits will add the same functionality as an optional
feature.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12177

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 590b80490c00587b5a4035856891e10defb654f6)

diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
index f5af666ced5b3008bb33698a39d1aa5cc5c49e27..85f6c650df9a768fdf966a991b40bb0a10c68784 100644 (file)
--- a/source3/modules/vfs_acl_common.c
+++ b/source3/modules/vfs_acl_common.c
@@ -379,10 +379,12 @@ static NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
        gid_to_sid(&group_sid, psbuf->st_ex_gid);
 
        /*
-        * We provide 2 ACEs:
-        * - Owner
-        * - NT System
-        */
+        We provide up to 4 ACEs
+               - Owner
+               - Group
+               - Everyone
+               - NT System
+       */
 
        if (mode & S_IRUSR) {
                if (mode & S_IWUSR) {
@@ -402,6 +404,39 @@ static NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
                        0);
        idx++;
 
+       access_mask = 0;
+       if (mode & S_IRGRP) {
+               access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
+       }
+       if (mode & S_IWGRP) {
+               /* note that delete is not granted - this matches posix behaviour */
+               access_mask |= SEC_RIGHTS_FILE_WRITE;
+       }
+       if (access_mask) {
+               init_sec_ace(&aces[idx],
+                       &group_sid,
+                       SEC_ACE_TYPE_ACCESS_ALLOWED,
+                       access_mask,
+                       0);
+               idx++;
+       }
+
+       access_mask = 0;
+       if (mode & S_IROTH) {
+               access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
+       }
+       if (mode & S_IWOTH) {
+               access_mask |= SEC_RIGHTS_FILE_WRITE;
+       }
+       if (access_mask) {
+               init_sec_ace(&aces[idx],
+                       &global_sid_World,
+                       SEC_ACE_TYPE_ACCESS_ALLOWED,
+                       access_mask,
+                       0);
+               idx++;
+       }
+
        init_sec_ace(&aces[idx],
                        &global_sid_System,
                        SEC_ACE_TYPE_ACCESS_ALLOWED,